Block WebRTC Leak using Squid

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
12 messages Options
Reply | Threaded
Open this post in threaded view
|

Block WebRTC Leak using Squid

Sekar Duraisamy
Hello All,

I have configured squid with the following configuration.

via off
forwarded_for off
request_header_access X-Forwarded-For deny all
request_header_access Host deny all

Squid Version : squid-3.5.20

But still my local IP address and my public IP address are leaked when
i test through WebRTC teat.

Please provide your help to fix this issue.

Thanks
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Block WebRTC Leak using Squid

Eliezer Croitoru
Hey,

Is the proxy a simple forward proxy or a transparent?
Ie what "http_port" line looks like?

Also, you should never use this:
request_header_access Host deny all

if you want http to work properly. I am not sure if it's possible to apply this rule.
Try to use:
forwarded_for delete

All The Bests,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]



-----Original Message-----
From: squid-users [mailto:[hidden email]] On Behalf Of Sekar Duraisamy
Sent: Thursday, August 24, 2017 12:26
To: [hidden email]
Subject: [squid-users] Block WebRTC Leak using Squid

Hello All,

I have configured squid with the following configuration.

via off
forwarded_for off
request_header_access X-Forwarded-For deny all
request_header_access Host deny all

Squid Version : squid-3.5.20

But still my local IP address and my public IP address are leaked when
i test through WebRTC teat.

Please provide your help to fix this issue.

Thanks
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Block WebRTC Leak using Squid

Sekar Duraisamy
I am using http_port 3128 ( direct proxy )

On Thu, Aug 24, 2017 at 5:33 PM, Eliezer Croitoru <[hidden email]> wrote:

> Hey,
>
> Is the proxy a simple forward proxy or a transparent?
> Ie what "http_port" line looks like?
>
> Also, you should never use this:
> request_header_access Host deny all
>
> if you want http to work properly. I am not sure if it's possible to apply this rule.
> Try to use:
> forwarded_for delete
>
> All The Bests,
> Eliezer
>
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: [hidden email]
>
>
>
> -----Original Message-----
> From: squid-users [mailto:[hidden email]] On Behalf Of Sekar Duraisamy
> Sent: Thursday, August 24, 2017 12:26
> To: [hidden email]
> Subject: [squid-users] Block WebRTC Leak using Squid
>
> Hello All,
>
> I have configured squid with the following configuration.
>
> via off
> forwarded_for off
> request_header_access X-Forwarded-For deny all
> request_header_access Host deny all
>
> Squid Version : squid-3.5.20
>
> But still my local IP address and my public IP address are leaked when
> i test through WebRTC teat.
>
> Please provide your help to fix this issue.
>
> Thanks
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users
>
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Block WebRTC Leak using Squid

Amos Jeffries
Administrator
On 25/08/17 03:21, Sekar Duraisamy wrote:
> I am using http_port 3128 ( direct proxy )
>

Then:

  # to hide the proxy
  via off
  forwarded_for transparent

  # to hide the client
  via on
  forwarded_for delete
  request_header_access User-Agent deny all


As you may be able to tell from those you cannot hide both at once.

Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Block WebRTC Leak using Squid

Sekar Duraisamy
Thanks Amos, Can i use the above configuration even though I am using
tcp_outgoing_address in the squid conf?

I want to make visible only tcp_outgoing_address only visible to
outside and not real client IP.

On Fri, Aug 25, 2017 at 4:11 AM, Amos Jeffries <[hidden email]> wrote:

> On 25/08/17 03:21, Sekar Duraisamy wrote:
>>
>> I am using http_port 3128 ( direct proxy )
>>
>
> Then:
>
>  # to hide the proxy
>  via off
>  forwarded_for transparent
>
>  # to hide the client
>  via on
>  forwarded_for delete
>  request_header_access User-Agent deny all
>
>
> As you may be able to tell from those you cannot hide both at once.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Block WebRTC Leak using Squid

Amos Jeffries
Administrator
On 25/08/17 14:00, Sekar Duraisamy wrote:
> Thanks Amos, Can i use the above configuration even though I am using
> tcp_outgoing_address in the squid conf?
>
> I want to make visible only tcp_outgoing_address only visible to
> outside and not real client IP.
>

The second set of directives to hide the client will work.

The first set to hide the proxy are kind of pointless when using a
proxy-specific IP address / identifier on all traffic out of the proxy.

Amos


> On Fri, Aug 25, 2017 at 4:11 AM, Amos Jeffries wrote:
>> On 25/08/17 03:21, Sekar Duraisamy wrote:
>>>
>>> I am using http_port 3128 ( direct proxy )
>>>
>>
>> Then:
>>
>>   # to hide the proxy
>>   via off
>>   forwarded_for transparent
>>
>>   # to hide the client
>>   via on
>>   forwarded_for delete
>>   request_header_access User-Agent deny all
>>
>>
>> As you may be able to tell from those you cannot hide both at once.
>>
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> [hidden email]
>> http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Block WebRTC Leak using Squid

Sekar Duraisamy
Hi,

I have tried the below.

via on
forwarded_for delete
visible_hostname localhost
request_header_access User-Agent deny all

But still I am able to see original client local IP address and Client
Public IP address instead of tcp_outgoing_address as original client
IP.

Am i missed anything here?

On Fri, Aug 25, 2017 at 2:11 PM, Amos Jeffries <[hidden email]> wrote:

> On 25/08/17 14:00, Sekar Duraisamy wrote:
>>
>> Thanks Amos, Can i use the above configuration even though I am using
>> tcp_outgoing_address in the squid conf?
>>
>> I want to make visible only tcp_outgoing_address only visible to
>> outside and not real client IP.
>>
>
> The second set of directives to hide the client will work.
>
> The first set to hide the proxy are kind of pointless when using a
> proxy-specific IP address / identifier on all traffic out of the proxy.
>
> Amos
>
>
>
>> On Fri, Aug 25, 2017 at 4:11 AM, Amos Jeffries wrote:
>>>
>>> On 25/08/17 03:21, Sekar Duraisamy wrote:
>>>>
>>>>
>>>> I am using http_port 3128 ( direct proxy )
>>>>
>>>
>>> Then:
>>>
>>>   # to hide the proxy
>>>   via off
>>>   forwarded_for transparent
>>>
>>>   # to hide the client
>>>   via on
>>>   forwarded_for delete
>>>   request_header_access User-Agent deny all
>>>
>>>
>>> As you may be able to tell from those you cannot hide both at once.
>>>
>>> Amos
>>>
>>> _______________________________________________
>>> squid-users mailing list
>>> [hidden email]
>>> http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Block WebRTC Leak using Squid

Eliezer Croitoru
Can you share the site which shows your real ip address so I can test it locally?
Also what is the output of:
http://myip.net.il/

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]



-----Original Message-----
From: squid-users [mailto:[hidden email]] On Behalf Of Sekar Duraisamy
Sent: Monday, August 28, 2017 09:26
To: Amos Jeffries <[hidden email]>
Cc: [hidden email]
Subject: Re: [squid-users] Block WebRTC Leak using Squid

Hi,

I have tried the below.

via on
forwarded_for delete
visible_hostname localhost
request_header_access User-Agent deny all

But still I am able to see original client local IP address and Client
Public IP address instead of tcp_outgoing_address as original client
IP.

Am i missed anything here?

On Fri, Aug 25, 2017 at 2:11 PM, Amos Jeffries <[hidden email]> wrote:

> On 25/08/17 14:00, Sekar Duraisamy wrote:
>>
>> Thanks Amos, Can i use the above configuration even though I am using
>> tcp_outgoing_address in the squid conf?
>>
>> I want to make visible only tcp_outgoing_address only visible to
>> outside and not real client IP.
>>
>
> The second set of directives to hide the client will work.
>
> The first set to hide the proxy are kind of pointless when using a
> proxy-specific IP address / identifier on all traffic out of the proxy.
>
> Amos
>
>
>
>> On Fri, Aug 25, 2017 at 4:11 AM, Amos Jeffries wrote:
>>>
>>> On 25/08/17 03:21, Sekar Duraisamy wrote:
>>>>
>>>>
>>>> I am using http_port 3128 ( direct proxy )
>>>>
>>>
>>> Then:
>>>
>>>   # to hide the proxy
>>>   via off
>>>   forwarded_for transparent
>>>
>>>   # to hide the client
>>>   via on
>>>   forwarded_for delete
>>>   request_header_access User-Agent deny all
>>>
>>>
>>> As you may be able to tell from those you cannot hide both at once.
>>>
>>> Amos
>>>
>>> _______________________________________________
>>> squid-users mailing list
>>> [hidden email]
>>> http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Block WebRTC Leak using Squid

Eliezer Croitoru
In reply to this post by Sekar Duraisamy
I remembered something so please also try:
http://ngtech.co.il/ip.php

and compare it to the output of:
http://myip.net.il/

and please let us know what browsers have you tested this with.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]



-----Original Message-----
From: squid-users [mailto:[hidden email]] On Behalf Of Sekar Duraisamy
Sent: Monday, August 28, 2017 09:26
To: Amos Jeffries <[hidden email]>
Cc: [hidden email]
Subject: Re: [squid-users] Block WebRTC Leak using Squid

Hi,

I have tried the below.

via on
forwarded_for delete
visible_hostname localhost
request_header_access User-Agent deny all

But still I am able to see original client local IP address and Client
Public IP address instead of tcp_outgoing_address as original client
IP.

Am i missed anything here?

On Fri, Aug 25, 2017 at 2:11 PM, Amos Jeffries <[hidden email]> wrote:

> On 25/08/17 14:00, Sekar Duraisamy wrote:
>>
>> Thanks Amos, Can i use the above configuration even though I am using
>> tcp_outgoing_address in the squid conf?
>>
>> I want to make visible only tcp_outgoing_address only visible to
>> outside and not real client IP.
>>
>
> The second set of directives to hide the client will work.
>
> The first set to hide the proxy are kind of pointless when using a
> proxy-specific IP address / identifier on all traffic out of the proxy.
>
> Amos
>
>
>
>> On Fri, Aug 25, 2017 at 4:11 AM, Amos Jeffries wrote:
>>>
>>> On 25/08/17 03:21, Sekar Duraisamy wrote:
>>>>
>>>>
>>>> I am using http_port 3128 ( direct proxy )
>>>>
>>>
>>> Then:
>>>
>>>   # to hide the proxy
>>>   via off
>>>   forwarded_for transparent
>>>
>>>   # to hide the client
>>>   via on
>>>   forwarded_for delete
>>>   request_header_access User-Agent deny all
>>>
>>>
>>> As you may be able to tell from those you cannot hide both at once.
>>>
>>> Amos
>>>
>>> _______________________________________________
>>> squid-users mailing list
>>> [hidden email]
>>> http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Block WebRTC Leak using Squid

Sekar Duraisamy
browserleaks.com/ip . I am testing through Mozilla Browser

On Mon, Aug 28, 2017 at 12:47 PM, Eliezer Croitoru <[hidden email]> wrote:

> I remembered something so please also try:
> http://ngtech.co.il/ip.php
>
> and compare it to the output of:
> http://myip.net.il/
>
> and please let us know what browsers have you tested this with.
>
> Eliezer
>
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: [hidden email]
>
>
>
> -----Original Message-----
> From: squid-users [mailto:[hidden email]] On Behalf Of Sekar Duraisamy
> Sent: Monday, August 28, 2017 09:26
> To: Amos Jeffries <[hidden email]>
> Cc: [hidden email]
> Subject: Re: [squid-users] Block WebRTC Leak using Squid
>
> Hi,
>
> I have tried the below.
>
> via on
> forwarded_for delete
> visible_hostname localhost
> request_header_access User-Agent deny all
>
> But still I am able to see original client local IP address and Client
> Public IP address instead of tcp_outgoing_address as original client
> IP.
>
> Am i missed anything here?
>
> On Fri, Aug 25, 2017 at 2:11 PM, Amos Jeffries <[hidden email]> wrote:
>> On 25/08/17 14:00, Sekar Duraisamy wrote:
>>>
>>> Thanks Amos, Can i use the above configuration even though I am using
>>> tcp_outgoing_address in the squid conf?
>>>
>>> I want to make visible only tcp_outgoing_address only visible to
>>> outside and not real client IP.
>>>
>>
>> The second set of directives to hide the client will work.
>>
>> The first set to hide the proxy are kind of pointless when using a
>> proxy-specific IP address / identifier on all traffic out of the proxy.
>>
>> Amos
>>
>>
>>
>>> On Fri, Aug 25, 2017 at 4:11 AM, Amos Jeffries wrote:
>>>>
>>>> On 25/08/17 03:21, Sekar Duraisamy wrote:
>>>>>
>>>>>
>>>>> I am using http_port 3128 ( direct proxy )
>>>>>
>>>>
>>>> Then:
>>>>
>>>>   # to hide the proxy
>>>>   via off
>>>>   forwarded_for transparent
>>>>
>>>>   # to hide the client
>>>>   via on
>>>>   forwarded_for delete
>>>>   request_header_access User-Agent deny all
>>>>
>>>>
>>>> As you may be able to tell from those you cannot hide both at once.
>>>>
>>>> Amos
>>>>
>>>> _______________________________________________
>>>> squid-users mailing list
>>>> [hidden email]
>>>> http://lists.squid-cache.org/listinfo/squid-users
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users
>
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Block WebRTC Leak using Squid

Amos Jeffries
Administrator
On 28/08/17 21:19, Sekar Duraisamy wrote:
> browserleaks.com/ip . I am testing through Mozilla Browser
>

One of the sites that use non-HTTP mechanisms to figure out their results.

Squid has nothing to do with the data sources they are actually using.
To see what details are being emitted through Squid use:
   debug_options 11,2

... and look at the server request headers.

Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Block WebRTC Leak using Squid

Eliezer Croitoru
In reply to this post by Sekar Duraisamy
Thanks for this useful site.
This site cannot be used to test squid in any environment but only in a specific one.
What the links I gave you shows?
http://myip.net.il/
http://ngtech.co.il/ip.php

??
If you want to bullet proof you network and you have full control over it then you should use the next methods:
- Block any outgoing traffic to the internet from the internal network using a simple FireWall
- Intercept any traffic on port 53(both tcp and udp) into a local dns proxy and\or caching service

I have a running lab with a restricted access to the internet and I will try to see what the results will be there.

Don't mistake squid for being "un-usable" since it does what it can, but, if you or another person is the network admin you should consider the required and relevant solutions for your environment.
For example I have worked on servers which are connected to the Internet but have a very restrictive policy which do not allow installation of software or access to the network.
Either by iptables or selinux or group policies.

I am here if you need some advice about the next move with the issue.

All The Bests,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]



-----Original Message-----
From: Sekar Duraisamy [mailto:[hidden email]]
Sent: Monday, August 28, 2017 12:20
To: Eliezer Croitoru <[hidden email]>
Cc: Amos Jeffries <[hidden email]>; [hidden email]
Subject: Re: [squid-users] Block WebRTC Leak using Squid

browserleaks.com/ip . I am testing through Mozilla Browser

On Mon, Aug 28, 2017 at 12:47 PM, Eliezer Croitoru <[hidden email]> wrote:

> I remembered something so please also try:
> http://ngtech.co.il/ip.php
>
> and compare it to the output of:
> http://myip.net.il/
>
> and please let us know what browsers have you tested this with.
>
> Eliezer
>
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: [hidden email]
>
>
>
> -----Original Message-----
> From: squid-users [mailto:[hidden email]] On Behalf Of Sekar Duraisamy
> Sent: Monday, August 28, 2017 09:26
> To: Amos Jeffries <[hidden email]>
> Cc: [hidden email]
> Subject: Re: [squid-users] Block WebRTC Leak using Squid
>
> Hi,
>
> I have tried the below.
>
> via on
> forwarded_for delete
> visible_hostname localhost
> request_header_access User-Agent deny all
>
> But still I am able to see original client local IP address and Client
> Public IP address instead of tcp_outgoing_address as original client
> IP.
>
> Am i missed anything here?
>
> On Fri, Aug 25, 2017 at 2:11 PM, Amos Jeffries <[hidden email]> wrote:
>> On 25/08/17 14:00, Sekar Duraisamy wrote:
>>>
>>> Thanks Amos, Can i use the above configuration even though I am using
>>> tcp_outgoing_address in the squid conf?
>>>
>>> I want to make visible only tcp_outgoing_address only visible to
>>> outside and not real client IP.
>>>
>>
>> The second set of directives to hide the client will work.
>>
>> The first set to hide the proxy are kind of pointless when using a
>> proxy-specific IP address / identifier on all traffic out of the proxy.
>>
>> Amos
>>
>>
>>
>>> On Fri, Aug 25, 2017 at 4:11 AM, Amos Jeffries wrote:
>>>>
>>>> On 25/08/17 03:21, Sekar Duraisamy wrote:
>>>>>
>>>>>
>>>>> I am using http_port 3128 ( direct proxy )
>>>>>
>>>>
>>>> Then:
>>>>
>>>>   # to hide the proxy
>>>>   via off
>>>>   forwarded_for transparent
>>>>
>>>>   # to hide the client
>>>>   via on
>>>>   forwarded_for delete
>>>>   request_header_access User-Agent deny all
>>>>
>>>>
>>>> As you may be able to tell from those you cannot hide both at once.
>>>>
>>>> Amos
>>>>
>>>> _______________________________________________
>>>> squid-users mailing list
>>>> [hidden email]
>>>> http://lists.squid-cache.org/listinfo/squid-users
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users
>

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users